I want to be able to set various token scopes to control access to various parts of my API, based upon the user’s group membership.
I’m only seeing a way to control access using very specific combinations of requested scopes. I’m referring to Authorization Server / Access Policies.
How can I configure Okta to automatically set token scopes in the response based upon groups/roles/etc?
For comparison, this would be something similar to Auth0’s RBAC settings for APIs – “the scope claim of the access token includes an intersection of the requested permissions and the permissions assigned to the user”